1
00:00:01,150 --> 00:00:02,330
<v Instructor>Right, so the first step</v>

2
00:00:02,330 --> 00:00:06,260
into the server-side attacks is information gathering.

3
00:00:06,260 --> 00:00:08,120
Information gathering is very important

4
00:00:08,120 --> 00:00:11,540
because it will show us the operating system of the target,

5
00:00:11,540 --> 00:00:14,290
the installed programs or the running services

6
00:00:14,290 --> 00:00:18,050
on the target, the ports associated with the services.

7
00:00:18,050 --> 00:00:19,910
Now from these installed services,

8
00:00:19,910 --> 00:00:22,270
we can try and get into the system.

9
00:00:22,270 --> 00:00:25,290
We can do this by trying the default passwords

10
00:00:25,290 --> 00:00:26,960
and we've seen this before

11
00:00:26,960 --> 00:00:29,010
in the network penetration testing part

12
00:00:29,010 --> 00:00:33,380
where the iPad had SSH service installed,

13
00:00:33,380 --> 00:00:36,700
which basically gives you full access to the computer

14
00:00:36,700 --> 00:00:39,080
if the person still uses the default password,

15
00:00:39,080 --> 00:00:40,293
which was alpine.

16
00:00:41,330 --> 00:00:43,370
So we can do this with any other service

17
00:00:43,370 --> 00:00:45,820
and we'll see another example here today.

18
00:00:45,820 --> 00:00:48,373
Another thing that we can do is there's a lot of people

19
00:00:48,373 --> 00:00:51,710
that install services and misconfigure them.

20
00:00:51,710 --> 00:00:53,680
So we'll have another example of this.

21
00:00:53,680 --> 00:00:56,910
So sometimes a lot of these services are designed

22
00:00:56,910 --> 00:01:01,300
to give some remote person some access to that computer

23
00:01:01,300 --> 00:01:02,360
but they obviously

24
00:01:02,360 --> 00:01:04,590
need to have some security implementations.

25
00:01:04,590 --> 00:01:07,570
People often misconfigure these services

26
00:01:07,570 --> 00:01:11,530
so we can take advantage of these misconfigurations

27
00:01:11,530 --> 00:01:14,300
and gain access to these computers.

28
00:01:14,300 --> 00:01:16,970
Another problem with these services,

29
00:01:16,970 --> 00:01:18,920
some of them might even have backdoors

30
00:01:18,920 --> 00:01:20,600
and we'll see an example of that.

31
00:01:20,600 --> 00:01:23,460
And a lot of them would have vulnerabilities

32
00:01:23,460 --> 00:01:25,600
such as remote buffer overflows

33
00:01:25,600 --> 00:01:29,100
or code execution vulnerabilities that allow us to again,

34
00:01:29,100 --> 00:01:31,640
gain full access to that computer.

35
00:01:31,640 --> 00:01:34,360
Now, the simplest way of doing this is something

36
00:01:34,360 --> 00:01:37,040
that we've seen before which is using Zenmap.

37
00:01:37,040 --> 00:01:40,810
So we use Zenmap using the IP, we get a list

38
00:01:40,810 --> 00:01:44,090
of all of these services and then google maybe each one

39
00:01:44,090 --> 00:01:47,960
of them and see if they contain any vulnerabilities.

40
00:01:47,960 --> 00:01:50,380
Now we've seen how we use Zenmap before

41
00:01:50,380 --> 00:01:53,670
but I just wanna convey the idea of anything is a computer

42
00:01:53,670 --> 00:01:56,700
and we've seen before how the Metasploitable device,

43
00:01:56,700 --> 00:01:58,660
this device is actually a website,

44
00:01:58,660 --> 00:02:00,070
it has a web server running.

45
00:02:00,070 --> 00:02:02,460
So websites are nothing different than this.

46
00:02:02,460 --> 00:02:05,250
If you want to get an IP of a website, all you have to do

47
00:02:05,250 --> 00:02:07,370
is just do a ping, so for example,

48
00:02:07,370 --> 00:02:10,010
if we're targeting Facebook, so all we have to do

49
00:02:10,010 --> 00:02:15,010
is do ping facebook.com and we'll get their IP right here.

50
00:02:15,320 --> 00:02:18,050
So we have Facebook's IP and we'll be able

51
00:02:18,050 --> 00:02:21,180
to run Zenmap against it and gain a list

52
00:02:21,180 --> 00:02:23,290
of all the running services on Facebook.

53
00:02:23,290 --> 00:02:24,640
Now, obviously, I'm not gonna do that

54
00:02:24,640 --> 00:02:27,950
because I'm not allowed to do that, what I'm going to do is

55
00:02:27,950 --> 00:02:31,150
I'm gonna run Zenmap against this Metasploitable device,

56
00:02:31,150 --> 00:02:33,430
which basically is a computer device

57
00:02:33,430 --> 00:02:36,070
and that's what we're interested in testing.

58
00:02:36,070 --> 00:02:39,350
So again, I can't really stress this anymore,

59
00:02:39,350 --> 00:02:42,820
anything is a computer, whether it's a website, a server,

60
00:02:42,820 --> 00:02:46,790
any online service, a phone, anything is a computer

61
00:02:46,790 --> 00:02:50,500
so you can go about penetrating anything the same way.

62
00:02:50,500 --> 00:02:53,810
So I'm gonna run Zenmap just with, this is the same way

63
00:02:53,810 --> 00:02:55,970
that we did before so I'm gonna go on my activities,

64
00:02:55,970 --> 00:03:00,963
I'm just gonna look for Zenmap and here is Zenmap

65
00:03:02,120 --> 00:03:06,300
and I'm gonna put the IP of my target

66
00:03:06,300 --> 00:03:10,540
of the Metasploitable device, which was 10, 14, 04.

67
00:03:12,780 --> 00:03:15,270
So remember, in the network penetration testing part,

68
00:03:15,270 --> 00:03:18,200
we used to put the base IP and put it over 24

69
00:03:18,200 --> 00:03:20,930
to cover all the IPs around us in the network.

70
00:03:20,930 --> 00:03:24,560
In this case, you might be testing a remote IP

71
00:03:24,560 --> 00:03:26,840
so for example, in the Facebook case, all we have to do

72
00:03:26,840 --> 00:03:31,680
is just put the Facebook target IP in there and test it.

73
00:03:31,680 --> 00:03:34,130
Now that's granted that you have permission to do that.

74
00:03:34,130 --> 00:03:36,330
Now I don't have permission so I'm not gonna do that.

75
00:03:36,330 --> 00:03:38,740
What I have permission to do is test my own device

76
00:03:38,740 --> 00:03:40,950
which is installed on the same network as me

77
00:03:40,950 --> 00:03:43,510
so that's why I'm putting that IP but you can literally put

78
00:03:43,510 --> 00:03:46,190
any IP you want in there and test it.

79
00:03:46,190 --> 00:03:47,390
So I'm gonna hit on scan

80
00:03:49,180 --> 00:03:51,220
and this will give me a list of all

81
00:03:51,220 --> 00:03:53,500
the installed applications.

82
00:03:53,500 --> 00:03:56,690
Okay, so the scan is finished now and

83
00:03:58,680 --> 00:04:01,033
we have a lot of open ports, a lot of services.

84
00:04:02,070 --> 00:04:05,550
What I advise you to do in this case now if you wanna do

85
00:04:05,550 --> 00:04:09,600
a simple test is you literally go on ports, port by port,

86
00:04:09,600 --> 00:04:12,820
read what it is and google the name of the program.

87
00:04:12,820 --> 00:04:16,490
So for example, we have port 21 here, that's an FTP port.

88
00:04:16,490 --> 00:04:21,490
FTP is a service that allows, it's installed to allow people

89
00:04:21,940 --> 00:04:25,573
to upload or download files from the remote server.

90
00:04:27,800 --> 00:04:31,590
So we can see, usually FTP services use a username

91
00:04:31,590 --> 00:04:34,350
and password but you can see that this service

92
00:04:34,350 --> 00:04:38,570
has been misconfigured and it allows anonymous FTP login.

93
00:04:38,570 --> 00:04:41,690
So unlike the SSH that we used before

94
00:04:41,690 --> 00:04:43,820
in the network penetration testing we had,

95
00:04:43,820 --> 00:04:45,490
we use the default password.

96
00:04:45,490 --> 00:04:48,430
With this you'll be able to log in without a password.

97
00:04:48,430 --> 00:04:51,330
So all we have to do is download an FTP client

98
00:04:51,330 --> 00:04:55,080
such as FileZilla and you'll be able to connect

99
00:04:55,080 --> 00:04:58,740
using this IP address on port 21.

100
00:04:58,740 --> 00:05:01,290
Now I'm not gonna explain this 'cause it's very simple,

101
00:05:01,290 --> 00:05:04,770
you literally download the application and connect to it.

102
00:05:04,770 --> 00:05:07,430
What else you can do is you can google this, you can,

103
00:05:07,430 --> 00:05:10,550
this is an FTP server, you can literally google this

104
00:05:10,550 --> 00:05:12,510
and see if it has any issues,

105
00:05:12,510 --> 00:05:15,050
if it has any misconfigurations,

106
00:05:15,050 --> 00:05:19,850
if it has any known code execution exploits.

107
00:05:19,850 --> 00:05:23,170
So I know if you google this now,

108
00:05:23,170 --> 00:05:27,100
this particular application has a backdoor installed

109
00:05:27,100 --> 00:05:29,550
with it so it literally came with a backdoor

110
00:05:29,550 --> 00:05:31,260
when it was released.

111
00:05:31,260 --> 00:05:33,610
For now, I'd like to show you something simpler

112
00:05:33,610 --> 00:05:35,893
just so that we make this shorter.

113
00:05:37,300 --> 00:05:40,310
So as I said, you need to go in one by one,

114
00:05:40,310 --> 00:05:42,370
googling the services and checking

115
00:05:42,370 --> 00:05:46,530
if they have any misconfigurations or any exploits installed

116
00:05:46,530 --> 00:05:48,990
or if any known exploits.

117
00:05:48,990 --> 00:05:50,350
So what I'm going to do now is

118
00:05:50,350 --> 00:05:52,240
I'm gonna have a look on the 512.

119
00:05:52,240 --> 00:05:54,260
So let's assume we went on them one by one,

120
00:05:54,260 --> 00:05:59,000
we couldn't find anything and we reach the 512 TCP port.

121
00:05:59,000 --> 00:06:01,600
So I'm gonna copy this, this is the service

122
00:06:01,600 --> 00:06:03,080
that's running on this port.

123
00:06:03,080 --> 00:06:06,130
So literally, I don't know what's this so I'm gonna copy it,

124
00:06:06,130 --> 00:06:07,713
go on Google and google it.

125
00:06:13,500 --> 00:06:15,090
Okay, so we're gonna have a look

126
00:06:15,090 --> 00:06:17,743
on the first result that we got here.

127
00:06:20,160 --> 00:06:23,490
And we can see that this is a remote execution program

128
00:06:23,490 --> 00:06:25,720
so that's very nice, that's very cool.

129
00:06:25,720 --> 00:06:28,800
So if we manage to log in with this, we'll have,

130
00:06:28,800 --> 00:06:32,300
we'll be able to execute commands on the target computer

131
00:06:32,300 --> 00:06:36,910
and it uses the RSH rlogin, that's a program that ships

132
00:06:36,910 --> 00:06:40,710
with Linux that allows you similar to SSH you get in a way

133
00:06:40,710 --> 00:06:43,180
that lets you execute remote commands

134
00:06:43,180 --> 00:06:44,543
on the target computer.

135
00:06:45,450 --> 00:06:48,650
So let's go back and see how we can connect to this.

136
00:06:48,650 --> 00:06:50,340
So this is all cool.

137
00:06:50,340 --> 00:06:53,533
So let's see the package, what comes in with this package?

138
00:06:54,470 --> 00:06:56,150
So and you can see, this is Ubuntu

139
00:06:56,150 --> 00:06:59,763
so the target's computer system was running on Ubuntu.

140
00:07:00,900 --> 00:07:04,323
If we go back, so it's running on Ubuntu here.

141
00:07:06,610 --> 00:07:09,710
And you can see that in here,

142
00:07:09,710 --> 00:07:14,710
it uses the RSH client service to connect.

143
00:07:15,020 --> 00:07:18,660
So this is the package that you need to install

144
00:07:18,660 --> 00:07:20,070
to connect to this service.

145
00:07:20,070 --> 00:07:22,780
So and as you can see, it says client program

146
00:07:22,780 --> 00:07:25,020
for remote shell connection.

147
00:07:25,020 --> 00:07:30,020
So go, go back and let's install RSH client.

148
00:07:30,160 --> 00:07:33,190
So we usually as we did before, when we need

149
00:07:33,190 --> 00:07:37,670
to install something, we do apt-get and we do install

150
00:07:37,670 --> 00:07:39,400
and we'll write the name of the program

151
00:07:39,400 --> 00:07:41,653
that we want to install, so it's RSH.

152
00:07:45,170 --> 00:07:47,920
Now apt-get is gonna install it for me and configure it

153
00:07:50,420 --> 00:07:52,790
and once it's installed, we're gonna use rlogin

154
00:07:52,790 --> 00:07:55,880
to log in because remember the first page told us

155
00:07:55,880 --> 00:08:00,440
that it uses the rlogin program to facilitate login process.

156
00:08:00,440 --> 00:08:04,450
So I'm gonna do rlogin and again, I don't know

157
00:08:04,450 --> 00:08:06,700
how to use this app so I'm gonna do the help

158
00:08:07,600 --> 00:08:12,600
to see how to use it and we can see that the format

159
00:08:12,610 --> 00:08:16,499
is rlogin, you put the options that you want

160
00:08:16,499 --> 00:08:20,550
so what's important here is the username and the host,

161
00:08:20,550 --> 00:08:22,670
which is the target IP.

162
00:08:22,670 --> 00:08:26,730
So this is what we're gonna do, we're gonna do rlogin,

163
00:08:26,730 --> 00:08:29,023
we're gonna put the username as root.

164
00:08:30,210 --> 00:08:32,540
Again, we said root is the user

165
00:08:32,540 --> 00:08:35,530
with the most privileges on the system.

166
00:08:35,530 --> 00:08:39,853
And we'll put the target IP which is 10, 20.

167
00:08:45,190 --> 00:08:47,230
Now as you can see now, we are logged in

168
00:08:47,230 --> 00:08:49,450
to the Metasploitable machine here

169
00:08:49,450 --> 00:08:54,450
and if I do id to get my ID, you can see that I am root.

170
00:08:55,840 --> 00:08:59,460
If I get where I am pwd, I'm in the root directory,

171
00:08:59,460 --> 00:09:00,733
I can list stuff.

172
00:09:02,420 --> 00:09:06,580
If I do a uname -a, that'll list the hostname

173
00:09:09,410 --> 00:09:11,130
and the kernel that's running on the machine

174
00:09:11,130 --> 00:09:12,450
and as you can see that I am

175
00:09:12,450 --> 00:09:15,940
in the Metasploitable machine with root access.

176
00:09:15,940 --> 00:09:20,940
So this was a manual way, a basic way of gaining access

177
00:09:21,060 --> 00:09:24,500
to the target computer only by a misconfiguration

178
00:09:24,500 --> 00:09:25,640
of an installed service.

179
00:09:25,640 --> 00:09:30,060
So the rlogin service was not configured properly,

180
00:09:30,060 --> 00:09:33,550
all we had to do is just google what came with that port

181
00:09:33,550 --> 00:09:36,730
and we managed to find or we managed to log in

182
00:09:36,730 --> 00:09:39,303
and gain full access to the target computer.

183
00:09:40,420 --> 00:09:43,900
Now again, the key point here is you do a Zenmap scan

184
00:09:43,900 --> 00:09:46,340
and then you go on each port that you find,

185
00:09:46,340 --> 00:09:48,250
you google that port and you'd be looking

186
00:09:48,250 --> 00:09:51,820
for misconfigurations, default passwords,

187
00:09:51,820 --> 00:09:54,530
if this target service came in with a backdoor

188
00:09:54,530 --> 00:09:57,840
or code execution, maybe it just wasn't programmed properly

189
00:09:57,840 --> 00:10:00,050
or it had a flaw that can be used

190
00:10:00,050 --> 00:10:01,730
to gain access to that computer.

191
00:10:01,730 --> 00:10:03,720
Now we'll have examples of these things

192
00:10:03,720 --> 00:10:05,443
in future videos as well.